Mass data retention & collection regimes used by member states must be subject to strict privacy safeguards as outlined under EU law, says a landmark legal judgement.
The European Court of Justice (CJEU) has declared that legislation, such as the UK’s contentious Investigatory Powers Act (IPA) 2016, cannot legally require a service provider to indiscriminately retain traffic & location data for national security purposes.
Rights to Privacy
Indiscriminate data collection contravenes rights to privacy & data protection, despite the “national security” justification.
National surveillance legislation in these countries requires telecommunications companies, including Internet Service Providers (ISPs), to retain personal data on an ongoing basis, so that it can be accessed as & when necessary by law enforcement agencies.
Critics, including prominent privacy activist groups, have labelled these practices ‘intrusive’ & ‘disproportionate’, also referencing the potential for abuse. The case was brought forward by Privacy International, which argued that regimes such as those commonly in use are illegal under EU law, which in this case supersedes national legislation.
Member states, in particular the UK, France & Belgium, must adhere to the Privacy & Electronic Communications Regulations (PECR), better known as the e-Privacy Directive, when drafting legislation.
The judgement also declared the data retention practices ‘incompatible with the fundamental rights of privacy, freedom of expression, as well as data protection’ as outlined by the e-Privacy Directive & legislation such as GDPR. Specifically, the data processing activities by ISPs, such as the transmission to public authorities, are not compatible, even for reasons relating to “national security”.
“The ruling is particularly significant because it makes clear that EU law applies, even in the national security context, if a member state’s surveillance law requires a telecommunications provider to process personal data,” Privacy International observed.
“The governments of EU countries are legally compelled to ensure that the retention, access & subsequent use of any data meet specific requirements. These requirements, often referred to as ‘safeguards’, are crucial to ensure that there is a proper balance between the privacy of the individual & the protection of the public.”
The kinds of communications data collected under such regimes include traffic, location, subscriber data, & any other data, including metadata, surrounding communications, although the content of a communication is exempt.
Whereabouts & Intentions
This data, however, can be used to determine information about a person’s contacts as well as their whereabouts & intentions. Map searches, device information, search engine results & location information, for example, can be combined to glean information about potential suspects.
“This data makes it possible to find out the identity of people with whom a user has communicated & by what means, to identify the time of these communications, & the places from which those communications originated,” Privacy International further added.
Frequency of Contact
“Importantly, communications data also reveals the frequency of contact of the user with specific people during a given period.”
While the ruling is clear that such powers, as outlined in the IPA 2016, are not compatible with EU law, the judgement does ‘open the door’ for their use in exceptional circumstances.
In cases where a member state is facing a serious imminent threat to national security, the CJEU states that law enforcement may deviate from their legal obligations to retain & collect data as is necessary, for so long as is necessary.
The powers can also be used in a specific, targeted way, where the intention is to combat serious crime & prevent threats to public security. There must, however, be safeguards in place, & such practices as well as the application of these safeguards must be reviewed by a court.
The judgement also raises questions regarding the future relationship between the UK & the EU, especially with regard to the UK retaining data adequacy status.
With the IPA 2016 seemingly incompatible with EU law with respect to data processing, maintaining the UK’s indiscriminate data collection regime may not be seen favourably unless amendments are made.